>>>>> "JW" == Jerry Walsh <jerry at aardvark.ie> writes:
JW> At 11:13 26/04/01 +0100, you wrote:
>> So, every software package you install is cryptographically
>> signed by some trusted third party you have met in the flesh
>> and exchanged keys with?
JW> I didn't say anything about meeting the authors in the flesh
JW> and exchanging keys with them, i just said there's no
JW> authenticity on the thing at all - there's not even an attempt
JW> of it.
I brought up the whole "met in the flesh" thing because that's the
only way to do key exchange in a meaningful way. Debian's GPG
key-ring is constructed by people either meeting in the flesh or
supplying a few forms of ID to an existing Project member. Trusting
keys based on a widely-disseminated key fingerprint is less secure,
but not as bad as implicit trust.
JW> 99% of the software I install and maintain on my machine
JW> (FreeBSD) is from the ports, which at least have an md5
JW> checksum on each file it downloads. I'm not saying that itself
JW> is hugely secure, nothing's secure, but it just makes it harder
JW> for someone to start doing nasty stuff.
If someone takes the effort to penetrate a ports server and compromise
a package, they are unlikely to omit altering the file with the
checksums in it. The checksums are more a guard against damage in
transit than anything else.
>> You are no more exposed by running the go-gnome.sh than you are
>> by installing the packages.
JW> I've used Debian once - I don't like it, but isn't there at least
JW> an md5 sum check done on the packages?
There is, but the Packages file, wherein the checksum lives, is part
of the same directory tree as the packages themselves. If the
packages are compromised, so are the checksums. The md5sums are not
an anti-tampering measure.
JW> With this go-gnome.sh you pass it directly to a root shell, no
JW> checks, no nothing.
Same as with debs, RPMs or indeed ports from the collection.
--
"Weaseling out of things is what separates us from the
animals ... except the weasel."
-- Emad El-Haraty
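The argument in the reply above, worked through in code (this is an added example, not code from the list, from Debian or from FreeBSD ports): a mirror holds packages plus an index of md5sums in the same directory tree, so an intruder who replaces a package simply regenerates the index and the md5 check still passes. A detached signature over the index, made with a key that never sits on the mirror and whose public half the user obtained out of band (by fingerprint or key-signing), is what the intruder cannot regenerate. Ed25519 is used here only because Go ships it in the standard library; the package names and contents are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Repo models a mirror directory tree: the packages and the index that
// lists an md5sum for each one, sitting side by side and both under the
// intruder's control once the server is penetrated.
type Repo struct {
	Files map[string][]byte // package name -> contents
	Index string            // "<md5hex>  <name>\n" per package
	Sig   []byte            // detached signature over Index, if any
}

// BuildIndex writes the md5sum list that lives in the same tree as the
// packages (the equivalent of a Packages file or a ports distinfo).
func BuildIndex(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := md5.Sum(files[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return b.String()
}

// ChecksumsMatch is what an md5-only client does: trust whatever index it
// downloaded and compare each package against it.
func ChecksumsMatch(r Repo) bool {
	return r.Index == BuildIndex(r.Files)
}

// SignatureValid is what a client holding an out-of-band public key does:
// refuse the index unless the signature verifies, and only then trust the
// checksums inside it.
func SignatureValid(r Repo, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, []byte(r.Index), r.Sig) && ChecksumsMatch(r)
}

// Tamper is the intruder: swap one package for a backdoored copy and,
// because the index is in the same tree, regenerate the md5sums too. The
// old signature is left in place because the signing key is not on the
// server to be re-used.
func Tamper(r Repo, name string, evil []byte) Repo {
	files := make(map[string][]byte, len(r.Files))
	for k, v := range r.Files {
		files[k] = v
	}
	files[name] = evil
	return Repo{Files: files, Index: BuildIndex(files), Sig: r.Sig}
}

// Scenario builds a clean mirror, compromises it, and reports whether the
// md5 check and the signature check still pass afterwards.
func Scenario() (md5Passes bool, sigPasses bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample packages; the bytes are arbitrary.
	files := map[string][]byte{
		"gnome-core_1.4.deb": []byte("clean gnome-core payload"),
		"go-gnome.sh":        []byte("#!/bin/sh\necho installing gnome\n"),
	}
	index := BuildIndex(files)
	// priv stands for an offline maintainer key; only pub reaches users.
	repo := Repo{Files: files, Index: index, Sig: ed25519.Sign(priv, []byte(index))}
	if !ChecksumsMatch(repo) || !SignatureValid(repo, pub) {
		panic("clean mirror must verify under both checks")
	}
	evil := Tamper(repo, "go-gnome.sh",
		[]byte("#!/bin/sh\necho installing gnome\n# backdoor goes here\n"))
	return ChecksumsMatch(evil), SignatureValid(evil, pub)
}

func main() {
	md5ok, sigok := Scenario()
	fmt.Printf("after tampering: md5 check passes=%v, signature check passes=%v\n", md5ok, sigok)
}
```

Run it and the md5 check reports true after the compromise while the signature check reports false, which is the whole of the point: a checksum stored next to the thing it checks guards against corruption in transit, not against an intruder who owns the tree. Note that the signature only moves the problem to key distribution, which is why the reply insists on fingerprints exchanged in person or through an existing member rather than a key fetched from the same server.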